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ABSTRACT 


There is little to no research and literature available comparing the security offerings of 
different cloud providers, with security apparently being an afterthought in the decision 
making process when choosing a Cloud Service Provider (CPS) 

That is an issue this paper addresses by performing an evaluation of the security offer- 
ings of the three big Amazon Web Services (AWS), Microsoft Azure and Google Cloud 
Platform (GCP). 

Data and information are gathered and compared, about which security features are 
present in the Cloud Security Posture Management (CSPM) solution, as well as in classic 
cloud computing services. 

The collected data is then used to calculate a score for each CSP’s performance in the 
categories Virtual Machine, Container and CSPM. 

The weights for these calculations are chosen for two use-cases. One use-case represents 
organizations with mature cloud security postures and focuses more on feature complete- 
ness, while the other use-case places a bigger focus on providing secure default configura- 
tions for organizations without mature cloud security posture. 

The results are grouped tightly together, indicating that all three evaluated CPSs have 
security offerings of relatively similar qualities. 

That said, Azure takes the top place for Virtual Machine Security and their CSPM so- 
lution, which has the advantage of offering multi-cloud support, which it’s competitors 
don’t. GCP places first for Container security and Serverless Computing Security. 
Finally, for IAM solutions in the cloud, all three evaluated CSPs are tied for first place, 
offering simlar functionalities. 
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1 INTRODUCTION 


The advent of cloud computing has transformed how companies handle and maintain data, 
providing unmatched adaptability and growth potential. Concurrently, as reliance on these 
solutions intensifies, it is crucial to implement strong security safeguards to preserve confidential 
data and uphold the continuous uninterrupted functioning of operations. Therefore, this thesis 
aims to contribute to furthering the knowledge in this area. This chapter will lay out the 
background and motivation of this thesis which handles the evaluation and comparison of the 
security offerings of the big three cloud service providers Amazon Web Services, Microsoft Azure 
and Google Cloud Platform. 

At the beginning, the research question it aims to answer and the objectives will be further 
explained. 

Then, the scope and limitations of this thesis will be set in section 1.3. 

Finally, the methodology will be laid out in section 1.4 before the foundational and main parts 
of the thesis begin. 


1.1 Background and Motivation 


Cloud computing has revolutionized the way organizations manage and store data, delivering 
unprecedented levels of agility, scalability, and cost efficiency. 

As the global cloud computing market continues to expand, with public cloud computing services 
growing in revenue from 42.8 billion USD in 2010 to 412.63 billion USD with cautious projections 
estimating it to reach 591.79 billion USD in 2023, as visualized in the following figure|1], the 
importance of securing data and applications in the cloud has become a paramount concern for 
organizations across industries. 
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Figure 1: Revenue generated with cloud computing|1| 


However, when choosing a Cloud Service Provider (CSP), too often security is not an important 
factor for the final choice, but rather an afterthought where the reguirement for security solutions 
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is merely for them to exist in the first place, not to excel auality. 

This is evidenced by the result of the IBM 2022 Cost of a Data Breach report, which interviewed 
3600 individuals from 550 organizations, finding that 43% of organizations are in the early stages 
of applying security practices to safeguard their cloud environments or have not even started and 
only 23% of organizations self identifying their cloud security posture as mature, which is defined 
as "applying security practices consistently across all domains".[8] 

45% of those surveyed organizations had a data breach with 2200 or more records compromised, 
resulting in significant financial loss.[8] 

Within the group of organizations which had startet applying security practices in the cloud, 
there was further differentiation in the average cost of data breaches, where the cost of a data 
breach for organizations in the early stages was 720,000 USD higher than for organizations with 
mature cloud security. 

Furthermore, little research and literature comparing and evaluating the security posture and 
solutions of the different CSPs is available, making it hard to integrate security in the decision 
making process. To add on top of that, the research, documentation and literature which are 
available are focused on single services or functionalities, often also focusing on one single CSP, 
not comparing solutions across the board. 

This leads to a gap in research and knowledge as to how the different CSP's security solutions 
compare side-by-side. 


1.2 Research Ouestions and Objectives 


This paper sets out to fill this gap in research and knowledge by answering the following ques- 
tion: "What are the differences between the security offerings of the different Cloud Service 
Providers?". The objective is to find out, what the commonalities and differences of the respec- 
tive implementations and solutions are. Furthermore, the goal is to find out which CSP employs 
the most secure configurations by default, after careful consideration by the customer, or not at 
all. 


1.3 Scope and Limitations 


Since the goal is to evaluate the security offerings of the CSPs, services and solutions offered by 
third parties, be they commercial or free open source, are out of scope for this thesis. 
Furthermore, the evaluation is limited to solutions that can be achieved with relatively minimal 
effort from the customer, alas to stay within the evaluation of the CSPs security offerings and 
not delineate into the possibilities of building one's own security solutions, which is a valid un- 
dertaking and tangential to this topic, but not expedient to answering the research guestion. 
For example of a self-built solution that is out of scope is the processing of a forensic image 
through an event-driven seguence of serveless computing functions would be out of scope, since 
while the main components, the event-bus and the serverless computing functions are services 
and offerings from the Cloud Service Provider, the solution itself, the idea for it and its guality 
are highly dependent on the implementing party's skills and effort. 

Another limitation to the evaluation is that all data and information that is used is gathered 
from publicly available sources, since the CSPs have very strict pentesting policies. 

As shown in Figure 2, in the 4h guarter of 2022, the three Cloud Service Provider (CSP) 
with the biggest shares in revenue are Amazon Web Services (AWS)(35%), Microsoft Azure 
(Azure)(32%)and Google Cloud Platform (GCP)(10%). 
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Together they take up 65% of the cloud computing marketshare. 

Because of this and in order to limit the scope of this thesis and its results to a manageable and 
digestible size, while ensuring coverage of most organization's CSPs, these three were chosen as 
a representative sample to conduct the research on. 


A « Microsoft Azure 23% 


* Andere 35% 


Google Cloud 10% + AWS 32% 


Figure 2: Marketshare of CSPs for Cloud computing|2| 


1.4 Methodology 


As for the methodology, initially data on the solutions’ and services’ features and capabilities 
will be collected by testing the services and gathering information from documentation. 

The collection process will be documented in the respective chapters alongside with an explana- 
tion on why certain features are relevant for security. 

Then, the collected data and information will be evaluated by calculating scores based on relevant 
use-cases. Since the IBM Data Breach report 2022 showed, that 17% or organizations have no 
cloud security management at all and 26% are in the early, 34% are in the mid and 23% mature 
stage of applying cloud security management, the decision was made to use two use-cases which 
are as follows: 

Use-case A is an organization with a mature cloud security posture which has established security 
best practices, processes and governance throughout its entire cloud and organization, as well as 
expert teams who are continuously developing and implementing these. 

For this use-case, the most important factors are feature completeness and capabilities, thus 
providing certain features to a satisfiable degree by default will yield 5 points towards the score 
and features that are provided, but need to be selected and activated will yield 4 points, since the 
likelihood of them being used either way is very high, but not 100% in scenarios where there are 
blind spots in the governance processes or edge-use-cases, leading to shadow IT or suboptimal 
configurations. 

Use-case B is an organization which is relatively new to cloud security. Governance processes 


STEFAN BONEDER BACHELOR THESIS 


= 


have not yet been implemented across the board, knowledge and experience are scarce and best 
practices are rarely implemented. 

Here, Security relevant features in the services and offerings of a CSP often lead to them getting 
lost in the overwhelming flood of information and options one is initially faced with when creat- 
ing cloud IT and thus often not being used at all, making them less secure. 

Therefore, for this use-case, providing certain features to a satisfiable degree by default will yield 
5 points towards the score and features that are provided, but need to be selected and activated 
will yield 2 points, since the likelihood of them being used if not enabled by default is lower. 
For both use-cases, features that are not available yield 0 points and features that are only partly 
available or othewise unsatisfactory yield 3 points if enabled by default and 1 point if not enabled 
by default. 

For example, a CSP-specific service offering security-relevant feature a, b and c by default, while 
offering feature d and e if they are enabled, not offering feature f at all, offering feature g badly 
by default and feature h badly and not by default will lead 5+5+5+4+4+0+3+1— 27 points of 
40 in use-case A and 54+5+5+—2+2—0+3—+1= 23 out of 40 points in use-case B. 
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2 THE CLOUD MODEL 


The United States National Institue of Standards and Technology (NIST) has defined cloud com- 
puting as "a model for enabling ubiquitous, convenient, on-demand network access to a shared 
pool of configurable computing resources (e.g. networks, storage, applications, and services) that 
can be rapidly provisioned and released with minimal management effort or service provider in- 
teraction.This cloud model is composed of five essential characteristics, four deployment models 
and three service models." [9] 


2.1 Essential Characteristics 


e On-demand self service: 


A consumer can unilaterally provision computing capabilities, such as server time and 
network storage, as needed automatically without requiring human interaction with each 
service provider.[9] 


Broad network access: 

Capabilities are available over the network and accessed through standard mechanisms that 
promote use by heterogeneous thin or thick client platforms (e.g.,mobile phones, tablets, 
laptops, and workstations). [9] 


Resource pooling: 

The provider’s computing resources are pooled to serve multiple consumers using a multi- 
tenant model, with different physical and virtual resources dynamically assigned and reas- 
signed according to consumer demand. There is a sense of location independence in that 
the customer generally has no control or knowledge over the exact location of the provided 
resources but may be able to specify location at a higher level of abstraction (e.g., country, 
state, or datacenter). Examples of resources include storage, processing, memory, and 
network bandwidth.[9] 


Rapid elasticity: 

Capabilities can be elastically provisioned and released, in some cases automatically, to 
scale rapidly outward and inward commensurate with demand. To the consumer, the 
capabilities available for provisioning often appear to be unlimited and can be appropriated 
in any quantity at any time.[9] 


Measured service: 

Cloud systems automatically control and optimize resource use by leveraging a metering 
capability at some level of abstraction appropriate to the type of service (e.g., storage, 
processing, bandwidth, and active user accounts). Resource usage can be monitored, 
controlled, and reported, providing transparency for both the provider and consumer of 
the utilized service.[9] 


ST 
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2.2 Deployment Models 


e Private cloud: 
The cloud infrastructure is provisioned for exclusive use by a single organization comprising 
multiple consumers (e.g., business units). It may be owned, managed, and operated by 
the organization, a third party, or some combination of them, and it may exist on or off 
premises.[9] 


e Community cloud: 
The cloud infrastructure is provisioned for exclusive use by a specific community of con- 
sumers from organizations that have shared concerns (e.g., mission, security requirements, 
policy, and compliance considerations). It may be owned, managed, and operated by one 
or more of the organizations in the community, a third party, or some combination of them, 
and it may exist on or off premises.|9] 


e Public cloud: 
The cloud infrastructure is provisioned for open use by the general public. It may be 
owned, managed, and operated by a business, academic, or government organization, or 
some combination of them. It exists on the premises of the cloud provider.[9] 


e Hybrid cloud: 
The cloud infrastructure is a composition of two or more distinct cloud infrastructures 
(private, community, or public) that remain unique entities, but are bound together by 
standardized or proprietary technology that enables data and application portability (e.g., 
cloud bursting for load balancing between clouds).[9] 


2.3 Service Models 


There are three main types of service models through which cloud services are typically offered. 
Some providers go more into detail and some companies differ from these models, but even in 
those cases, it is just a more specific or a combined version of these three main categories. 


e Software as a Service (SaaS): 

The capability provided to the consumer is to use the provider's applications running 
on a cloud infrastructure. The applications are accessible from various client devices 
through either a thin client interface, such as a web browser (e.g., web-based email), or 
a program interface. The consumer does not manage or control the underlying cloud 
infrastructure including network, servers, operating systems, storage, or even individual 
application capabilities, with the possible exception of limited user-specific application 
configuration settings.|9] 


e Platform as a Service (PaaS): 
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer- 
created or acquired applications created using programming languages, libraries, services, 
and tools supported by the provider. The consumer does not manage or control the un- 
derlying cloud infrastructure including network, servers, operating systems, or storage, 
but has control over the deployed applications and possibly configuration settings for the 
application-hosting environment.[9] 
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e Infrastructure as a Service (laaS): 
The capability provided to the consumer is to provision processing, storage, networks, and 
other fundamental computing resources where the consumer is able to deploy and run 
arbitrary software, which can include operating systems and applications. The consumer 
does not manage or control the underlying cloud infrastructure but has control over op- 
erating systems, storage, and deployed applications; and possibly limited control of select 
networking components (e.g., host firewalls).[9] 


A study about the global revenue of cloud computing from 2010 to 2023 published by Gartner 
in 2022 puts these service models into perspective and shows their revenue share respective to 
each other.[10] According to this study, back in 2010 the total revenue for cloud computing 
was 14.23 billion USD. SaaS was responsible for 10.75 billion USD which translates to 75.54%. 
Another 2.88 billion USD were generated through laaS, giving it a revenue share of 20.24%. 
The remaining 4.22% revenue share belonged to PaaS with its 600 million USD. Since then, 
the revenue generated through cloud computing services has steadily grown each year to 327.13 
billion USD in 2021 with an optimistic projection of 393.55 billion USD in 2022 and 481.87 billion 
USD in 2023. This growth is comprehensively visualized in the following figure. 
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O Cloud Application Services (SaaS) O Cloud Infrastructure Services (laaS) 
Cloud Application Infrastructure Services (PaaS) @ Cloud Management and Security Services 
O Desktop as a Service (DaaS) ® Cloud Business Process Services (BPaaS) 


Figure 3: Development of cloud computing revenue divided by service model 
[10] 


Even though all three segments of cloud computing were able to increase their revenue in absolute 
numbers each year, the ratio of their share of revenue has changed since 2010. In 2021, SaaS was 
responsible for a revenue of 146.33 billion USD, bringing it’s share of revenue down from 75.54% 
to 44.73%. TaaS was able to increase its share during the same timespan from 20.24% to 31.18%. 
In 2021, it generated 90.89 billion USD which is 30.56 times more than back in 2010. Even more 
impressive than that is the growth for PaaS. Increasing it’s revenue by almost 150 times from 
600 million USD in 2010 to 89.91 billion USD in 2021 came with a roughly sevenfold increase in 
revenue share from 4.22% to 28.31%. 
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To summarize: the amount of revenue generated through cloud computing is steadily and guickly 
increasing. In addition, the relative importance of SaaS is slowly diminishing, while IaaS and 
PaaS are gaining in relevance. 

Looking at these trends and numbers from a security perspective offers two important insights. 
As cloud computing becomes increasingly widespread and more and more money is being spent, 
it will also likely draw increased attention of cybercriminals. Additionally, as laaS and PaaS are 
increasing in popularity, the responsibility and control of security in the cloud are shifting away 
from the providers and towards the customer, as described in the shared responsibility model. 


2.4 Shared Responsibility Model 


In public clouds, the responsibility of ensuring security and compliance is usually shared between 
the customer and the Cloud Service Provider (CSP). 

Typically, the CSP is responsible for the security of the cloud, meaning that the resources 
and services they provide are secure and compliant with the law and other regulations, while 
the customers are responsible for security in the cloud, meaning that they are responsible for 
configuring and using the provided resources and services in a secure and compliant manner. 
Where the border between the user’s and the CSP’s responsibility lies is generally determined by 
the type of service model being used, as well as the contractual agreements which are individual 
to each provider. 


AWS 

As shown in the image below, AWS defines the customer’s responsibility as security in the cloud 
and AWS’ resonsibility as security of the cloud. Which resources fall under whose responsibility 
varies from use case to use case and from service to service, but a general overview can be seen 
in the following figure. 
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REGIONS AVAILABILITY ZONES EDGE LOCATIONS 


Figure 4: Division of responsibility in AWS[3] 


In general, AWS is responsible for the resources, including hardware, software, networking, and 
facilities, it provides and depending on the service also for the security of said service’s software 
and the users are responsible for making secure configurations and using the provided services 
in a save manner, as well as obliging to legal regulations. 

The customer’s responsibilities vary depending on the services used and applicable laws and 
regulations, but in general, they are responsible for managing the guest operating system, appli- 
cation software, and firewall configurations for the services they choose. 

The management, operation, and verification of IT controls are also shared between AWS and 
its customers. There are three types of controls that may be managed by AWS, the customer, 
or both: inherited controls, shared controls, and customer-specific controls. 

Customers can use the AWS control and compliance documentation! to evaluate and verify their 
controls. 


Azure 

Similar to AWS, in Azure’s shared responsibility model, where the responsibility lies depends on 
whether the customer is using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), 
or Software as a Service (SaaS). On-prem is also shown in the figure below, but since that is not a 
cloud-service offered by Azure, it is out of scope for this evaluation and will therefore be ignored 
in the following paragraph explaining the figure and Azure’s shared responsibility model.|4] 


"https://aws.amazon.com/compliance/ 
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Figure 5: Division of responsibility in Azurc[4] 


Azure draws the line between the customer and it’s own responsibility a little bit differently than 
AWS, as it groups them by service delivery model. 

Three categories, where the responsibility always lies with Azure are physical hosts, network and 
datacentcrs.[4] 

The difference comes with Identity and directory infrastructure, applicaitons, network controls 
and the operating system. 

For laaS, all of these are the customer’s responsibilities. 

For PaaS, Azure takes over the responsibility of choosing, operating, maintaining and config- 
uring the operating system while 1t also starts sharing the responsibility for network controls, 
applications and identity and directory infrastructure. 

Whereas for SaaS, all of the before mentioned responsibilities except identity and directory in- 
frastructure, where the responsibility are shared, are under the management and responsibility 
of Microsoft.[4] 

Finally, three categories where the customer always has the responsibility, no matter whether he 
is using a laaS, PaaS or SaaS Service Model, are Information and Data, Devices, and Accounts 
and Identities.[4] 


GCP 

GCP deploys the shared responsibility model in a similar fashion to Azure and AWS, with the 
distinction of either GCP or the customer taking full, not shared responsibilities for each of the 
domains as shown in the figure below. 
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Figure 6: Division of responsibility in GCP [5] 


On-prem is also shown here, but since that is not a cloud-service offered by GCP, it is out of 
scope for this evaluation and will therefore be ignored in the following paragraph explaining the 
figure and GCP’s shared responsibility model. 

In laaS, most of the security responsibilities, such as content, access policy, usage, deployment, 
web application security, identity, operations, access and authentication, network security, data, 
content and guest OS are the customers, and GCP’s responsibilities are focused on the un- 
derlying infrastructure and physical security, such as audit logging, networks, storage and en- 
cryption, hardened kernel and Interprocess Communication (IPC), physical hardware and boot 
management.[5] 

In PaaS, GCP is responsible for more controls than in laaS, namely identity, operations, access 
and authentication, network security, data, content, guest OS, audit logging, networks, storage 
and encryption, hardened kernel and IPC, physical hardware and boot management. The cus- 
tomer remains responsible for content, access policy, usage, deployment, web application security 
protection."[5] 

In SaaS, GCP owns almost all of the security responsibilities except the access policies and 
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content, which the customer remains responsible for.[5] At this point, it should be noted, that 
GCP also coined the term "Shared Fate" in the context of shared responsibility.[5] Shared fate 
is the conceptualization that disruption in any of the services used impacts both GCP and the 
customer negatively, no matter who is at fault. It is an umbrella term for several tools, guides 
and services GCP provides to the customer for them to get started and improve their security 
posture, which is something other CSPs offer as well, just not under that term. Since it does not 
introduce new concepts, which would be relevant for the scope of this evaluation, it will not be 


further elaborated. 
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3 CLOUD COMPUTING FUNDAMENTALS 


Before evaluating the efficacy and quality of security offerings, it is important to determine, what 
should be protected. 

The following section will lay out the different software and architecture components commonly 
used in cloud environments. 

As the three different CSPs use different terminology for the same basic concepts of cloud comput- 
ing and services, each term will also have some subsections exploring the respective terminology 
and implementation for each CSP, as differences in implementation might already result in dif- 
ferences in security. 

One aspect that will specifically be highlighted where applicable is the default options, as cloud 
features such as the quick time to release and the low barrier of entry of the cloud in combina- 
tion with an overwhelming amount of customization options will naturally result in many users 
initially not deferring from the default option, meaning that potentially insecure default options 
lead to less secure cloud services. 

Where appropriate, other security implications are pointed out as well. 

These findings will be summarized in a table at the end of the section. The cells inside these 
tables are color coded to show their security implications. 

Green means that this is optimal for security, yellow means suboptimal or that further configura- 
tion is needed to reach an optimal solution, red means detrimental to the company’s IT security 
and white means that this does not impact security but is strictly informational. 


3.1 Virtual Machine 


In cloud computing, virtual machine services are the closest one can get to traditional servers and 
physical computers. Typically, a hypervisor, running on the actual physical machine, emulates 
the hardware resources of a physical computer for an operating system of the customer’s or user’s 
choosing. 
This allows for multiple virtual machines to coexist one one physical machine. These virtual 
machines, can usually also be stopped or shut down, so that the resources, except dedicated 
storage space, occupied by them are freed up. 
Depending on the cloud provider and service model, it can thus either be, that the virtual 
machines of several customers are running on the same actual piece of hardware and are only 
separated virtually, or that there are dedicated servers for each and every customer, that are 
either in the custody of the provider or the customer themselves. 

Generally, it can be assumed, that customers using public, hybrid and community cloud service 
models share the same physical hardware resources with other customers while being logically 
separated. 

In normal intended use-case-scenarios, this is not noticeable and the customer generally has no 
knowledge of the hardware they are using and no way of knowing or getting to know, which 
other services and users they share the hardware with or to influence these in any type of way. 

Under normal circumstances, this would not pose a security risk in and of itself. But in the case 
of an attacker who is either able to compromise a third party’s cloud account or creates a cloud 
account through the normal process, this opens a new attack vector. 
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AWS 

AWS’ solution for Virtual Machines in the cloud is called Elastic Compute Cloud, more com- 
monly called EC2. 

Upon launching an EC2 instance, one has to choose an Amazon Machine Tmage(AMT). This 
AMI contains the configuration for the VM’s operating system, architecture and pre-installed 
applications. AWS themselves provides 170 different implementations of several Windows ver- 
sions and Linux distributions. Additionally, there is a marketplace, where trusted third-party 
companies can offer their AMI implementations, as well as a community marketplace, where 
basically anyone can publish their AMIs after verifying their identity. 

On top of that, AWS allows you to create your own AMIs. This provides the opportunity for 
additional hardening measures that would not be sensible, legal or implementable for third par- 
ties, such as pre-installing EDR agents or other licensed security products. 

After selecting one’s preferred AMI, one can select the VM instance’s virtual hardware resources. 
AWS gives you the option to use up to 448 virtual CPUs, 12288 GiB of virtual RAM, 60.000 GB 
of virtual disk space and 100 Gbit/s. 

If the VM’s operating system is Linux-based, one can create a cryptographic key pair with either 
a .pem or .ppk file extension in order to later login remotely via SSH into the VM. 

Once the former setup steps are completed, the network settings are in order. AWS reguires you 
to choose a Virtual Private Cloud (VPC) in which the instance will be launched and gives you 
the option to choose a subnet and to specify a public IP to the instance that differs from the 
one otherwise automatically generated by default. Furthermore, one can either select an existing 
firewall security group or create a new one. This security group gives you the option to allow 
or disallow traffic from either anywhere, nowhere or a custom range to the instance via HTTP, 
HTTPS and SSH. The default option is to allow SSH traffic from any IP address and disallow 
HTTP and HTTPS traffic. 

Furthermore, there are some advanced customizations that can be applied. In general, all of the 
following options can be preconfigured through a template. The behaviour described applies if 
of no template for that specific option being applicable. It is possible to join the instance into a 
Microsoft Active Directory managed through the AWS Directory service. It is also possible, to 
select or create a new IAM instance profile which may deviate from the default one. 

There is also an option to enable hibernation for instances. Hibernating EC2 instances is similar 
to stopping them, but in hibernation, the RAM 's contents are preserved. This is especially useful 
and in some cases of critical importance during incident response and forensic investigation. For 
example, research has shown, that some ransomware families leave the cryptographic keys used to 
encrypt the victims files in the working memory|1 1]. In an attack scenario where the ransomware 
attack is detected in time, the EC2 instance could be hibernated in order to prevent the attack 
from continuing while it is investigated. The keys retrieved from the hibernated memory could 
then be used to decrypt the already encrypted files. Unfortunately, this option is not enabled by 
default and can not be enabled after launching the instance. 

Furthermore, AWS provides the option to provide EC2 instances with termination and stop pro- 
tection. If this protection is enabled, these instances can not be terminated or stopped through 
the AWS console or API calls, unless the protection is removed. This allows the user to protect 
their services and processes that are running on certain instances from disruption. Unfortunately, 
this protection is not enabled by default. 

On top of that, detailed CloudWatch monitoring can be enabled for said instance, but of course 
at a price. 

Another option, that is not directly tied to security, but may have implications for finances and 
could be used in a so called Denial-of- Wallet attack is the credit specification option. This allows 
certain types of EC2 instances to temporarily exceed their reserved virtual hardware resources. 
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Additional security for instances in which sensitive data is processed can be achieved by enabling 
the instance to be a AWS Nitro Enclave. This addresses the concern of side-channel-attacks on 
hardware resources shared by multiple virtual systems through providing additional isolation in 
a trusted execution environment. 

The advanced settings also allow the user to disable access to the instance’s metadata via HTTP. 
In theory, this metadata can only be accessed from within the respective EC2 instance, but in 
practice, this restriction can easily be circumvented, for example by a Server Side Request Forgery 
(SSRF) attack. While not being a direct vulnerability for the instance and not exposing secret 
information, the metadata provided by AWS is quite extensive and gives attackers a lot of valu- 
able information that would otherwise have to be collected through reconnaissance techniques 
which might allow early detection of the activity and attack. 

The metadata includes, but is not limited to the instance’s AMI ID, autoscaling lifecycle state, 
scheduled maintenance events, the IAM role attached to the instance, the kernel ID, security 
groups, subnet ID, the location of the virtual root file systme of the instance and tags for the 
instance. On top of that, the metadata service can be misused to retrieve and extract other data 
than it is supposed to be used for. 

One famous example of this happening would be the Capital One breach, where a SSRF attack 
on the instance metadata service in combination with a misconfigured Web Application Firewall 
(WAF) led to the extraction of sensitive data of over 100 million Capital One customers. [12] 


Azure 

Azure’s solution for Virtual Machines in the cloud is called Azure Virtual Machines. 

Upon creating an Azure Virtual Machine, there are four main VM types to choose from. A 
standard VM, one with preset configurations, an Azure Arc VM or a private one managed by 
VMware, called Azure VMware Solution (AVS). 

For the latter, one has to either be a "Enterprise agreement customer", meaning an enterprise 
with an already existing contract, another CSP or get manual approval from Microsoft for a 
Microsoft Customer Agreement (MCA). This proccess can take up to five business days, but 
since Azure is acting as a middleman here, not actually providing a service, but licensing the 
service of a third party, in this case VMware, AVS is out of scope for this paper. 

In the first and standard use case of creating a normal Azure VM, one must first choose the 
main region and Availability Zone (AZ) and specify, whether one would like to place the VM 
permanently in one AZ on its own or add it to an existing availability set or scale set. VMs 
inside an availability set are not geographically distributed, but reside in different fault domains 
and update domains inside one data center. 

Update domains are logically grouped virtual machines that are restarted together during planned 
maintenance. Azure claims to never restart multiple update domains at a time, so this minimizes 
downtime due to planned maintenance. 

Fault domains, as shown in the graphic below, group virtual machines physically, as all VMs 
inside one fault domain share the same power source, network switch and disk rack, maximiz- 
ing redundancy and therefore resiliency in case of physical hardware failures, power outages or 
network problems. 
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Fault Domain O Fault Domain 1 Fault Domain 2 


Figure 7: Fault domains in Azurc[6] 


Here it is important to note, that, following the shared responsibility model, preventing or re- 
mediating problems inside Azure's data centers is not the customer's responsibility. Azure gives 
the customer the option to minimize the impact of mistakes on Azure’s side on the customer's 
operations. 

For scale sets, all of the configuration options are the same as when creating one singular virtual 
machine. The only difference is that one has to decide whether the scaling orchestration should 
be done with uniform of flexible orchestration. 

Uniform orchestration is for stateless workloads with identical instances as it provisions and shuts 
down instances based on metrics, mainly resource exhaustion. 

Flexible orchestration is for stateful workloads and promises high availability by spreading VMs 
across fault domains. 
An additional configuration that has to be made is the instance security type. In addition to the 
standard option, Azure offers "trusted launch virtual machines" and "confidential virtual ma- 
chines". Trusted launch virtual machines add the option for secure boot, a virtualized Trusted 
Platform Module (vTPM) and integrity monitoring. Confidential virtual machines offer all these 
options as well with the added bonus of operating in a hardware-based trusted execution envi- 
ronment, which provides a higher level of isolation. 

Once the security features are selected, one can then finally choose from a plethora of Linux- and 
Windows-based machine image and between x64 or ARM64 architecture. If a Linux distribution 
is chosen here, an SSH key for connecting to the VM later on will be generated, if one doesn’t 
opt for using a password instead. Alternatively, one can also use an already existing SSH key. 
Basic versions of them are built and distributed by Microsoft themselves, but there is also the 
option to create your own custom images and share them with others or use the ones others 
shared. Using images shared by the community should not be done without careful considera- 
tion, since the images may have been created with malicious intent and thus contain backdoors. 
In addition to that, legal and financial issues might ensue if software is used under terms and 
conditions that may have not been applicable for the initial creator of the image, but some other 
entity that uses the same image, for example if an image was created for research purposes and 
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is then later used to deliver a service, rendering many free open source licenses void. 
Furthermore, one can either select an existing firewall security group or create a new one. This 
security group gives you the option to allow or disallow traffic from anywhere, nowhere or a 
custom range to the instance via HTTP, HTTPS and SSH. The default option is to allow SSH 
traffic from any IP address and disallow HTTP and HTTPS traffic. 

The standard solution for redundancy of disks in Azure is to replicate them within a single data 
center to protect them against server rack and drive failures on Azure’s side, providing a guaran- 
tee of at least 99.999999999% durability. If that is not enough, one can opt for zone-redundant 
disk storage, meaning that the data is replicated in different availability zones. Among other 
things, this mainly remediates the risk of catastrophic failure resulting in the destruction or dis- 
abling of an entire data center and adds another decimal point to Azure’s durability guarantee, 
raising it to 99.9999999999%. 

After basic and disk configurations have been made, the network interface and load balancing of 
the VM have to be configured. Per default, VMs don’t have public IPs, but Azure gives you the 
option to create one. Additionally, VMs have to either be added to an existing virtual network 
or one that is newly created specifically for them. These virtual networks are logically separated 
from each other within Azure. 

Furthermore, one has to choose the NIC network security group for the VM. The basic version 
that is enabled by default restricts inbound traffic to SSH for Linux and RDP for Windows while 
giving the option to also allow HTTP and HTTPS traffic, if the creator of the VM ticks the 
respective boxes. If that is not enough, one can create a custom NIC network security group and 
configure additional rules. 

Once all this has been done the identity and access management for the VM has to be configured. 
There are two basic roles used to login to the VM. Virtual Machine Administrator Login and 
Virtual Machine User Login, giving the user admin or user privileges on the VM’s OS. In Azure, 
the owner of a VM is not automatically the admin or even a user on the VM, so this is not, preset 
by default and has to be configured. 

Then, one can enable several options that are relevant to security and availability, like enabling 
backup services, letting Azure orchestrate patches and enabling recommended alerts, which in- 
cludes alerts if certain thresholds for CPU-, RAM-, DISK IOPS- exhaustion, Network usage or 
VM availability are reached. The thresholds are preset by default, but can be changed. Addi- 
tionally, One can create custom rule names, change the alert severity from "3 - Informational" 
to "0 - Critical", "1 - Error", "2 - Warning", or "4 - Verbose". Furthermore, one can enable dy- 
namic threshold determination, which uses machine learning algorithms to calculate appropriate 
thresholds. By default, these alerts are sent to the account owner’s email and are collected and 
view-able in the Azure Alerts console, but one can also add additional addresses to be emailed 
and enable mobile app notifications. 


GCP 

GCP’s solution for Virtual Machines in the cloud is called Google Compute Engine. Upon 
creation, one can configure the typical options like region, zone and CPU size. Afterwards, 
one can either start one’s own Virtual Machine from scratch with one of many Windows- or 
Linux-based operating systems, or choose a VM with preinstalled applications and software 
configurations from GCP’s marketplace, where these are grouped by licensing type(free, paid, 
BYOL) and purpose (Security, Machine Learning, Big Data, etc.). 

Additionally, if the VM runs on a virtualized AMD EPYC CPU?, one can enable the "Confidential 
VM" option, which adds several security options and capabilities. On the encryption front, 
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confidential VMs use encryption-at-rest, encryption-in-transit and encryption-in-use. The first 
two are also available for normal VMs, but encryption-in-use is exclusive to confidential VMs. 
Another security benefit added by confidential VMs is the availability of a VIPM, which enables 
launch attestation, and a higher degree of isolation. Furthermore, they provide a so called 
"Confidential Space". 

Confidential Spaces provide a Trusted Execution Environment and other safeguards and safety 
features for handling sensitive data in a collaborative approach while implementing Zero-Trust 
principles as demonstrated in the following figure. 


Attestation Workload > Protected cloud 
service , Workload identity pool [~~ M resources 


Resource 


Au 
uthor owners 


Figure 8: GCP Confidential Space concept diagram|7| 


They consist of at least one containerized image run on top of the Confidential VM’s OS, an 
OpenID Connect (OIDC)? token provider for authentication towards the TEE and a protected 
resource like a Cloud Storage bucket or a Cloud Key Management Service that can then be 
accessed through the issued OIDC tokens. In a Confidential Space, there are three role types. 


e Resource Owners control the protected resources. They can modify their data and 
access permissions, as well as the result of the workload, but not access the workload or 
its code, 


e Workload authors create the container image and the application that will be executed 
on by the workload operators on the resource owner’s resources, but they can’t access the 
data or the results 


e Workload operators run the workloads in the Google Cloud project by managing the 
underlying infrastructure that allows the workload to run. They have access to the VM 
instance, the disk and network around it, but not the data, the workload code or the 
results of the workload. 


Regardless, of whether confidential VM services are chosen, one has to select a service account 
for the VM for IAM purposes and choose which GCP Cloud APIs the VM should have access 
to. 

The default is write-only access to Logging and Monitoring, read-only access to Storage and 
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Service Management and read-write access to Service Control which allows the VM to define 
access boundaries within its GCP VPC and to create firewall rules to be applied inside the VPC, 
but one can also choose to give the VM full read-write access to all GCP Cloud APIs or choose 
manually for each GCP Cloud APT. 

Then, one can allow HTTP and HTTPS traffic to reach the VM, both of which are blocked by 
default and configure the network interface. Connecting to the VM via SSH enabled by default 
and SSH keys for this purpose are generated automatically upon VM creation if not specified 
otherwise, as one can also generate the keys manually or disable access to the VM by modifying 
IAM roles and permissions. 
In addition to these configurations, one can make several availability policy decisions, like giving 
the VM a time limit that terminates it after a certain date or an amount of hours chosen by the 
user. This is a configuration element, that can help prevent or at least reduce unnecessary costs, 
vulnerabilities or undetected malicious behaviour through VM sprawl, as having VMs running 
becomes a conscious decision and Virtual Machine (VM)s that are forgotten will be terminated 
after a while. 

Another configuration option that can be chosen is sole-tenancy which will enforce, that physical 
hardware in Azure’s data centers is dedicated to the organization’s or service account’s Virtual 
Machines and ensures that no other organizations’ or service accounts’ Virtual Machines can run 
on said hardware. This provides a higher degree of isolation, as virtualization breakout on other 
VMs does not result in a security threat anymore. 


Summary 

The table below shows a table with the information presented in the Virtual Machine section. 
Since VMs in and of themselves are not a new concept in computing and were one of the 
first cloud computing concepts to be implemented, they are mature form a general and from a 
security perspective, leaving CSPs time to catch up to competitor’s past innovations, so most of 
the features are the same for all three CSPs. 

The feature where they differ is RAM preservation for stopped instances. In Azure, RAM is 
preserved automatically by writing it to the disk before shutown. In AWS one can take an EBS 
snapshot and reinstate RAM from there on, but this is not a default option. In GCP, there is no 
such option, so if one wants that functionality, one has to write a custom shutdown script that 
dumps the RAM and then saves it, but as this requires additional effort on the customer’s side, 
this method is out of scope for the evaluation and thus not counted. 

The availability Service Level Agreement (SLA)s are similar, but not the same. Both AWS 
and GCP guarantee 99.95% availability for single VMs in one availability zone and all three 
CSPs offer 99.99% availability if the VMs are deployed across multiple availability zones. The 
difference here comes from Azure, which offers an availability guarantee of 95% for single VMs 
in a single AZ, if the standard disk option HDD is used, which is worse than it’s competitors 
and offers the option of using a Premium SSD, which is sitll 0.5 percentage points worse than 
its competitors. 
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Feature AWS Azure GCP 

Name Elastic Compute | Azure Virtual Ma- | Google Compute 
Cloud /EC2 chines Engine 

Verified — Machine 


Image providers 


Customizable Ma- | Yes Yes Yes 
chine Images 
RAM preservation 
for stopped in- 
stances 
Secure Boot 
Termination pro- 
tection 
Stop protection 
Sole tenancy 
Trusted execution 
environments 
vIPM 
Instance metadata 
available by default 
Availability SLA | 99.95% 99.5%(Standard 99.95% 
(single AZ) HDD) - 99.9%(Pre- 
mium SSD) 
Availability SLA | 99.99% 99.99% 99.99% 
(multiple AZs) 


Disk encryption at 
rest 


Automated disk 


backups 


Data in use encryp- 
tion 


VM backup service 


Table 1: Summary of the CSP's Virtual Machine implementations 
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The security scores for the different providers are as follows; 


e AWS: 
Use-case A: 5+4+4+4+4+4+4+4+0+5+4+4+4 = 50 out of 65 points 
Use-case B: 5+2+2+2+2+2+2+2+0+5+2+2+2 = 30 out of 65 points 
e Azure: 
Use-case A: 5+5+4+4+4+4+4+4+0+5+4+4+4 = 51 out of 65 points 
Use-case B: 5+5+2+2+2+2+2+2+0+5+2+2+2 = 33 out of 65 points 
e GCP: 
Use-case A: 5+0+4+4+4+4+4+4+090+5+4+4—4 = 46 out of 65 points 
Use-case B: 5—0—2+2—2—2+2—2—0+5—2+2—2 = 28 out of 65 points 


3.2 Container 


Containers are a form of virtualization that gives customers the ability to package software com- 
ponents such as frameworks, libraries and dependencies together with their code. This comes 
with less overhead than virtual machines, since the user doesn’t have to set up and manage a 
the underlying operating system and all that comes with it. 

By abstracting and isolating the underlying infrastructure, container services enable developers 
to focus on writing code while ensuring seamless portability and rapid application delivery across 
multiple environments. 

They are similar to virtual machines, but add additional levels of abstractions and are more 
lightweight making them an ideal solution to use together with the rapid elasticity of cloud com- 
puting. 

They generally are independent from Operating System (OS) because they share the host’s OS, 
are not limited, bound or fixed to certain hardware resources etc. 

This is visualized in the figure below. 

On the left, there is traditional deployment, where several apps were deployed on the same server. 
In the middle, there is virutalized deployment, described in the previous section, where one or 
multiple apps run on virtual machines, which themselves run on server through a hypervisor. 
Then, on the right, one can see the deployment model described in this section, container de- 
ployment, where each app has its own container and multiple containers run on the same server. 
It is important to note, that container runtimes do allocate and isolate hardware resources to 
some degree, this is not as strict as virtualization through a hypervisor. 
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Traditional Deployment Virtualized Deployment Container Deployment 


Figure 9: Traditional Apps, Apps in VMs and containerized Apps 


Containerization is the process of packaging an application so it can be used in a Container. This 
includes writing the reguired dependencies, frameworks and librarires into the container config- 
uration file and creating the application code. The result of this containerization is a container 
image. 

Container orchestration is an administrative task that has little to nothing to do with the con- 
tents of the containers themselves. but managing and automating the deployment and scaling of 
instances of container images as well as their entire lifecycle. 

There are three categories of services offered by CSPs in the context of containers: 


e Serverless Compute Engines for Containers abstract away the underlying infrastruc- 
ture, allowing developers to focus on building and deploying containerized applications 
without managing the associated compute resources. These platforms automatically scale 
container instances based on demand, optimizing resource usage and reducing operational 
overhead 


e Container Orchestration Services offer developers the tools for automating the de- 
ployment, scaling, and management of containerized applications. These services manage 
container clusters, aiming to ensure optimal resource allocation and fault tolerance. They 
provide features such as load balancing, auto-scaling, and service discovery to ensure that 
applications are running efficiently and reliably. It should be pointed out at this point, 
that each CSP has its own specific implementation of a container orchestration service 
facilitated by one of the most popular container orchestration system called Kubernetes*. 


e Container Registries are centralized repositories that store and distribute container 
images, facilitating version control, dependency management, and efficient deployment 
of containerized applications. These registries often provide security features, such as 
vulnerability scanning and access control to ensure the integrity and privacy of container 
images. 


Since the use of containers and container orchestration requires advanced technological and 
architectural know-how, this section will not delve into the process of creating containers and 
orchestrating them via the GUT but only discuss the services and features the different CSPs 
provide. 


“https: / /kubernetes.io/ 
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Since it is the de-facto industry standard for container orchestration, specifically the Kubernetes 
services of the CSPs will be evaluated. 


Kubernetes 

Since the term and concept are important for the later discussion of the respective implementa- 
tions of the CSPs container orchestration services, this short paragraph gives a short overview 
over what Kubernetes is and central concepts that are used. Kubernetes is an open-source 
container orchestration system that automates the deployment, scaling, and management of 
containerized applications, providing a robust and extensible platform for managing container 
clusters. 

Key features include service discovery, load balancing, storage orchestration, automated rollouts 
and rollbacks, automatic bin packing, self-healing and secret- and configuration management. 
[13] 

Kubernetes employs abstractions such as Pods, Services, Deployments and Nodes. According to 
the official documentation, "a Pod [...] is a group of one or more containers, with shared storage 
and network resources, and a specification for how to run the containers."[14]. One or multiple 
Pods then run on a node, which contains all the services neccessary to run Pods[15]. "a Service is 
a method for exposing a network application that is running as one or more Pods in your cluster. 
[...] You use a Service to make that set of Pods available on the network so that clients can 
interact with it."[16]. "A Deployment provides declarative updates for Pods]...]. You describe a 
desired state in a Deployment, and the Deployment Controller changes the actual state to the 
desired state at a controlled rate."[17]. 


AWS 


AWS Elastic Kubernetes Service (EKS)? is AWS’ container orchestration service using Kuber- 
netes. Per the Shared Responsiblity Model, AWS is responsible for "security of the cloud," 
which involves protecting the infrastructure running AWS services. In the case of Amazon EKS, 
AWS is responsible for the Kubernetes control plane, including control plane nodes and the etcd 
database.[18] Additionally, he effectiveness of AWS security is regularly tested and verified by 
third-party auditors as part of AWS compliance programs.|18] 


On the other hand, users are responsible for "security in the cloud," which encompasses sev- 


eral areas like the security configuration of the data plane, such as configuring security groups 
to allow traffic between the Amazon EKS control plane and the customer’s VPC, configuring 
nodes and containers, and managing the node’s operating system (including updates and secu- 
rity patches).[18] Users are also responsible for managing other associated application software, 
setting up and managing network controls like firewall rules, managing platform-level identity 
and access management (either with or in addition to IAM), and ensuring compliance with the 
sensitivity of their data, company requirements, and applicable laws and regulations.[18] 

It is possible to take snapshots of the EKS containers by taking incremental point-in-time snap- 
shots of their respective EBS volumes.|19]. Unfortunately, it is not possible to put nodes or Pods 
in sandboxes that were specifically designed for security purposes. Therefore, additional security 
measures should be applied before deploying untrusted workloads, like using hardened separate 
instances alltogether for them. [20] 

Furthermore, it is possible to restrict an EKS instance’s access to the cluster’s metadata through 
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IAM and since AWS generally employs the principle of least privilege, the access is restricted by 
default unless defined or inherited otherwise.[21] 

Since all of the EKS instances’s network functionalities are managed through AWS services, the 
IP addresses that are automatically assigned to each Pod by Kubernetes itself are either public 
or private, depending on the customer’s VPC configuration.[22] 

AWS relies strongly on the shared responsiblity model and thus ensures kernel page table isola- 
tion on the hardware and hypervisors under its control, but does not provide any options that 
would enable it by default for the customer’s machines or containers, but rather relies on the 
customers to patch their system’s OS.[23] The same goes for disabling simultaneous multithread- 
ing. AWS ensures to disable it on vulnerable CPUs, but it is up to the customer to configure 
their virtualized hardware resources.[24] 

AWS does not provide the possibility to make a Pod’s filesystem immutable and read-only. The- 
oretically, this is achievable through Kubernetes policies, but in the threat scenario of somebody 
overtaking control of the Kubernetes control plane, this measure would fall short. 

AWS provides hardened operating systems with verified boot, which would mitigate such a risk. 
[25] 

Furthermore, AWS does not provide a solution for non-persistent user management on nodes. 
It is of course possible to restrict or give access to the different Kubernetes resources based on 
AWS IAM, but this does not represent the same functionality, as the user management there 
is done by whoever controls the JAM instance, not whoever controls the Kubernetes instance. 
On top of that, a solution using IAM would not work and cause additional work for Kubernetes 
solutions that are CSP-agnostic. 

AWS also provides security-hardened kernels for their EKS Pods and the underlying computing 
structure. [26] 

Per default, incoming traffic is subject to the rules and configuration of the VPC the Kubernetes 
nodes are placed in. Usually, the VPCs allow traffic to the Kubernetes nodes where an interface 
to the internet is needed. In these cases, per default, all traffic to the Nodes and Pods except 
SSH, which is neccessary for authentication, is restricted. [27] 

Kernel Page Table Isolation is not possible, therefore workloads running on the same Pod or node 
could be vulnerable to side-channel attacks. AWS’s solution for this problem is not employing 
Kernel Page Table Isolation, but to isolate the complete workloads into their own Pods. [20]. 
AWS EKS provides a cve-and misconfiguration scanner that orientates itself around the Center 
for Internet Security’s Kubernetes Benchmark and scans for additional CVEs in the deployed 
software inside the containers. [28] 

Instance access management is possible through AWS IAM. [21] 

AWS also provides a feature which automatically updates and upgrades containers, once new 
images are available, making sure, all available security patches are always installed. [29] 


Azure 

Azure, at this time does not have a technology-agnostic service that fully qualifies as container 
orchestration. It does however provide a container orchestration service using Kubernetes, called 
Azure Kubernetes Service (AKS)°®. 

When you create an AKS cluster, Azure provisions the necessary compute, networking, and 
storage resources to support the cluster. Once the cluster is up and running, you can deploy 
containerized applications to it using Kubernetes manifests or other tools like Helm charts. AKS 
automatically manages the scheduling and scaling of containers and can even scale the cluster 
up or down based on demand.|30] 


Shttps: / /azure.microsoft.com/en-us/products/kubernetes-service 
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Under the hood, AKS uses a combination of Azure Virtual Machines, Azure Load Balancers, and 
Azure Managed Disks to provide a scalable, resilient, and highly available Kubernetes cluster. 
It also integrates with other Azure services like Azure Active Directory and Azure Container 
Registry for authentication and container image management.[30] 
AKS uses Azure Managed Disks to manage the persistent volumes for your Kubernetes cluster. 
Azure Managed Disks provide point-in-time snapshots that you can use to create backups of 
your persistent volumes. You can create a snapshot of a Managed Disk by using the Azure 
Portal, Azure CLI, or Azure PowerShell. Once you have created a snapshot, you can use it to 
restore a Managed Disk to a previous state. This can be useful for disaster recovery or forensic 
investigations. [31] 

It is possible to sandbox workloads in Azure Kubernetes Service (AKS). AKS supports a fea- 
ture called AKS Virtual Nodes’ that allows you to run Kubernetes Pods on Azure Container 
Instances (ACI), which provide a serverless compute option.[32] With Virtual Nodes, you can 


offload certain workloads to ACI, which can be useful for sandboxing or isolating workloads from 
the rest of the cluster. For example, you can use Virtual Nodes to run untrusted or experimen- 
tal workloads in a sandboxed environment without affecting the main cluster.[32] However, this 
requires additional effort and does not provide any added security measures. 

By default, Azure blocks API calls to the metadata service. [33] 

Simultaneous multithreading (SMT) is available for Azure VMs, where the virtualized CPUs 
offer the feature and not blocked, thus creating an attack vector. 

By default, public IP addresses are disabled for Kubernetes Pods in Azure Kubernetes Service 
(AKS). By default, Pods running in AKS are assigned private IP addresses from the virtual net- 
work subnet that the cluster is deployed in. This means that Pods cannot be accessed directly 
from the public internet. [34] 

By default, the root file systems of containers in Azure Kubernetes Service (AKS) are not im- 
mutable or read-only. However, it is possible to configure containers to use an immutable or 
read-only root file system if desired through Microsoft Defender for Cloud’s hardening capabili- 
ties. [35] 

AKS uses Azure Virtual Machines (VMs) as worker nodes, and the VMs support a feature called 
"Measured Boot" by default, which provides verified boot. Measured Boot ensures that the 
boot process of the VM is verified by measuring the integrity of each component of the boot 
process, from the firmware to the bootloader to the operating system. This measurement data 
is then stored in a virtualized Trusted Platform Module (vTPM) chip that is built into the VM. 
During subsequent boot processes, the vTPM chip checks the measurement data to ensure that 
the system has not been tampered with and that the boot process is trustworthy. [36] 

Stateless configuration is a common practice in containerized environments, including AKS. 
Stateless configuration refers to the practice of designing and deploying containerized applica- 
tions in a way that does not rely on a persistent state or data. Thereby, AKS has the option to 
make files or volumes persistent, which allows for stateless configuration. |37] 

AKS also provides the feature of cve scanning, with additional capabilities for detecting missing 
security updates of software running inside the containers. [38] 

By default, AKS restricts all incoming and outgoing network traffic to Kubernetes Pods running 
on worker nodes except SSH.[34] Specifically, Pods are not accessible from the public internet by 
default, and only traffic that is explicitly allowed by network policies and other security mecha- 
nisms can reach containers in a Pod..[34| 

On top of the IAM-capabilities Kubernetes provides, instance access management is also per- 
formed through Azure’s IAM service Azure AD and its RBAC capabilities.[39] 


“https: / /learn.microsoft.com /en-us/azure /aks/virtual-nodes 
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AKS also provides a feature which automatically updates and upgrades containers, once new 
images are available, making sure, all available security patches are always installed.|40] 
Finally, through AppArmor, AKS provides hardening kapabilities for the LInux kernel among 
other security features.[41] 


GCP 

GCP’s container orchestration service is called Google Kubernetes Engine (GKE)®. 

Tt has a feature called GKE Sandbox’. GKE Sandbox uses gVisor to emulate most Linux kernel 
API calls in order to limit the direct access of workloads inside Pods that were put inside the 
sandbox to the host kernel itself[42]. Unfortunately, this means that it cannot be used with 
Windows containers. GKE Sandbox is especially useful in cases where parts of the workload 
or the entire load are untrusted. Another added security benefit is, that sandboxed Pods can- 
not access cluster metadata, which regular Pods can unless prevented by network policy[42]. 
The GKE Sandbox also disables simultaneous mulithreading for machine types which are con- 
sidered vulnerable to microarchitectural data sampling'%, a certain type of sidechannel attack 
vulnerability[42]. 

On thing to keep in mind though is, that "Untrusted code running inside the sandbox may be 
allowed to reach external services such as database servers, APIs, other containers, [...]"[42]. 
So, similar to other sandboxes, it is advisable to only use the GKE Sandbox in order to isolate 
untrusted code and workloads from other sensitive data and workloads for ideal results, but not 
as a general purpose security mechanism. 

Per the software’s default, the Kubernetes control plane components use public IP addresses[43]. 
This poses a security threat as it offers attack surface to the public internet. To remediate this 
threat, GCP offers the abiltiy to disable access to the public IP addresses and use private ones 
through the use of authorized networks and private clusters.|43] 

"By default, GKE nodes use Google’s Container-Optimized OS as the operating system on 
which to run Kubernetes and its components. Container-Optimized OS implements several ad- 
vanced features for enhancing the security of GKE clusters."[43] These security features include 
immutable root filesystems, verified boot, stateless configuration, security-hardened kernel, a 
firewall, instance access management, and CVE scanning.[44] 

Immutability and verified boot are ensured, as "The Container-Optimized OS root filesystem 
is always mounted as read-only. Additionally, its checksum is computed at build time and 
verified by the kernel on each boot. Additionally, several other mounts are non-executable 
by default."[44] This prevents potential attackers from gaining persistence in the VM through 
changes to the root filesystem or OS. Stateless configuration provides a solution for the problem 
with user management that is introduced through a read-only root filesystem, as this includes 
the /etc/ directory[44], which usually is used for user management. The stateless configuration 
feature makes /etc/ writeable but stateless|44], meaning that the contents are cleared upon each 
reboot, effectively enabling user management without persistence. 

On the topic of the security-hardened kernel, GCP documentation claims: "Container-Optimized 
OS enables several security-hardening kernel features, including Integrity Measurement Archi- 
tecture (IMA), Audit, Kernel Page Table Isolation (KPTT), and some Linux Security Modules 


3 


(LSMs) from Chromium OS. Additionally, Container-Optimized OS supports security features 


https: / /cloud.google.com/kubernetes-engine 
https: / /cloud.google.com/kubernetes-engine/docs/concepts/sandbox-Pods 
https://www.intel.ca/content / www /ca/en/architecture-and-technology /mds.html 
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like seccomp!! and AppArmor!” that make it possible to enforce finer grained security policies." 
KPTI is a Linux kernel feature that isolates kernel and user spaces. [45] This aims to prevent 
side channel attacks against the kernel memory and to close vulnerabilities that would allow this, 
the most prominent example being Meltdown.!? Seccomp and AppArmor are third party solu- 
tions and thus out of scope for this evaluation, but honorable mentions. The mentioned firewall 
capabilities are simply just dropping any incoming traffic that is not SSH on port 22.[44] While 
this is nothing revolutionary, it is good default behaviour and should therefore find mention here. 
Per default, after creation there are no user accounts on the container’s OS but root and access 
is managed through SSH. GCP offers the possibility to manage access through GCP OS Login, 
which provides centralized Identity and Access Management on an organizational level, relieving 
the container’s maintainer from responsiblities and efforts.[44] The mentioned CVE scanning 
relates to CVEs for packages the container itself or the OS uses, not software that is being used 
or introduced by the customer though. 

The Google Kubernetes Engine supports automatic upgrades for autopilot clusters, taking care 
of any updates for the OS, Kubernetes itself or the container runtime. 


Summary 
The table below shows a table with the information presented in the Container section of this 
thesis. 


“https: / /www.kernel.org/doc/Documentation /pretl/seccomp _filter.txt 
https: //gitlab.com/apparmor /apparmor 
https: / /nvd.nist.gov/vuln/detail/CVE-2017-5754 
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Feature AWS Azure GCP 
Name Amazon Elastic | Azure Kubernetes | Google Kubernetes 
Kubernetes Service 
(EKS) 


Taking snaphsots 


Sandboxing 


If enabled, but un- 
satisfactory 


Service (AKS) 


If enabled, but un- 
satisfactory 


Engine (GKE) 


If enabled and only 
on Linux 


Ability to block ac- 
cess to metadata 


Simultaneous mul- 

tithreading 

Disabling public | If enabled 
Kubernetes IP 

addresses 

Immutable root | If enabled and un- 
filesystem satisfactorily 


Verified Boot 


If enabled 


Stateless configura- 
tion 


Security-hardened 
kernel 


Incoming traffic ex- 
cept SSH allowed 


Instance access 
management 


CVE scanning 


Kernel Page Table 
Isolation 


Automatic upgrade 


If enabled and un- 
satisfactorily 


If enabled and un- 
satisfactorily 


Tf enabled 


If enabled 


If enabled 


Tf enabled 


If enabled 


Table 2: Summary of the CSP’s Container implementations 


The security scores for the different providers are as follows; 


e AWS: 
Use-case A: 
Use-case B: 

e Azure: 
Use-case A: 
Use-case B: 

e GCP: 


Use-case A: 


OT 


OT 


= 
OT 
No 
= 
N» 
ER 
OT 


Ot 
OT 
OT 
OT 


5 = 47 out of 70 points 


5 = 43 out of 70 points 


5 = 58 out of 70 points 


5 = 52 out of 70 points 


5 = 64 out of 70 points 
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Use-case B: 5+1+2+5+2+5+5+5+5+5+5+5+5—5 = 60 out of 70 points 


3.3 Serverless Computing 


Serverless computing. sometimes also called Function as a Service (FaaS), is a cloud computing 
execution model in which the cloud provider is responsible for allocating and managing the 
underlying servers that run the user's application code, as well as all of the environmental 
resources, while the user only selects those environmental! resources initially and then supplies 
their code. 

This allows developers to focus on writing and deploying their code, without having to worry 
about provisioning and managing the underlying infrastructure. 


In a serverless computing model, the user uploads their code to the cloud provider, which then 
runs the code in a fully managed environment. The cloud provider is responsible for scaling the 
underlying infrastructure to match the demand for the user's application, and for ensuring that 
the code runs reliably and securely. 

This is the most lightweight approach to writing, deploying and executing code with as little 
overhead as possible. 


One of the main benefits of serverless computing is that it can be highly cost-effective, as the 
user only pays for the compute resources that their code actually uses, rather than having to pay 
for and maintain a fixed amount of infrastructure. This can make it well-suited for applications 
that have variable or unpredictable workloads. 


Another benefit of serverless computing is that it can make it easy to build and deploy small, 
independent pieces of functionality, known as "functions", which can be triggered by a variety 
of events, such as a user uploading a file or a timer going off. This can make it well-suited for 
building event-driven architectures and for implementing microservices. 


It is important to note that serverless computing does not mean that there are no servers involved, 
it is a kind of abstraction of the servers and infrastructure behind it. The cloud provider takes 
care of the scaling and management, but it is nothing the customer has any influence on, which 
is why its called serverless. 


Common uses cases for serverless computing include, but are not limited to processing file up- 
loads, creating an event-driven workflow, building APIs or running scheduled tasks. 


AWS 

AWS’ service for FaaS is called AWS Lambda. 

The code for AWS Lambda is deployed and run as ‘functions’. These functions are then invoked 
through events in AWS, usually in connection to other AWS services. Examples for these events 
would be the creation of an element in a $3 bucket, a request on the functions unique URL or the 
creation of a virtual machine. There are several configuration options one can choose regarding 
the execution environment of one’s functions. 

AWS offers default implementations for different runtimes of Node.js, Python, Ruby, Go, Java, 
C# and PowerShell. Additionally, AWS offers the option to creating one’s own custom runtime 
to support additional programming languages. The default runtimes are provided with security 


Mbhttps: / /aws.amazon.com/lambda/ 
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updates until they reach their official end of life. In these cases, the runtimes are deprecated in 
two phases with the second phase starting at least 30 days after the first one. 

In phase one, functions can no longer be created using that runtime but one can continue using 
and updating existing ones. 

In phase two, updating is also no longer possible until the runtime is upgraded to a more recent 
non-deprecated version. 

It is important to note, that the invocation of functions is not automatically blocked by AWS, 
even after deprecation phase two. 


Furthermore, AWS Lambda functions can be run either through 64-bit ARM or 64-bit x86 
instruction set architectures. 

Upon creation of a function, it possible to either use existing [AM-roles, use one of AWS’ stan- 
dard role templates or create a new custom one which defines the permission the function will 
have, but all three have in common, that the function must at least be admitted to upload logs 
to Amazon CloudWatch, it’s cloud resource and application monitoring service. 

Additional settings which are optional, but relevant regarding the aspect of security is the cre- 
ation of an URL as an invocation trigger for the function. When enabling the function URL, the 
user is presented with the default option to authenticate URL-invocation-requests via AWS IAM 
or switching to not requiring authentication at all. Finally, enabling code signing and connecting 
your function to a VPC. 


Azure 

Azure’s service for serverless computing is called Azure Functions 
The supported default programming languages in which Azure Functions can be written in are 
CF. JavaScript, F#, Java, PowerShell, Python and TypeScript, but it is also possible to create 
a so called "Azure Functions custom handler" which allows the customer to add support for 
further programming languages. In addition, the user can choose whether the code should be 
run on a Linux or Windows operating system, but other than in AWS Lambda, it is not possible 
to select the instruction set architecture, as at the time of writing of this thesis, only x86 is 
defaulted and therefore the default. 

Furthermore, it is possible to set up a GitHub Actions deployment pipeline which automates 
the building, testing and deployment of commits to the linked git repository. While this does 
not improve security per se, it contributes to security indirectly, as automating code updates 
decreases the amount of effort needed to implement them and therefore increases the likelihood 
of them happening. 

An Azure Function’s execution can be triggered by events from other Azure Services or a call to 
a specific URL which is unique to each function. These triggers are defined during creation. By 
default, all Functions’ URLs are accessible from the internet, but it is also possible to prevent 
this during this creation process and restrict access to certain virtual networks or disable the 
URL altogether. 

Another factor that sets Azure Functions apart from AWS Lambda is that the GUT presents one 
with the option to activate the monitoring service called "Application Performance Management" 
which, collects metrics and application telemetry data and performs anomaly detection on this 
data. In regards to security, this is a desirable feature to detect any attacks and successfully 
combat so called Denial-of-Wallet attacks, which will be further discussed later on in this paper. 
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GCP 

Google’s service for FaaS is called Cloud Functions. 
The supported default programming languages are Node.js, Python, Ruby, Go, Java, C#, and 
PHP. 

A Google Cloud Function's execution can be triggered through a reguest to an unigue URL or 
through various events happening on other Google services. These triggers can be defined upon 
creation of the function. The default trigger is HTTPS behind Google Cloud IAM. 

Access to this URL can then further be restricted to either internal traffic coming from inside 
the same Virtual Private Cloud(VPC) network, traffic from the same VPC and Google Cloud 
Load Balancing or one can choose to keep the default option, which is not restricting traffic at 
all. 

Furthermore, Google is the only CSP who gives you the option to limit the autoscaling feature, 
which helps avoid unlimited costs, but on the other hand opens the function to Denial-of-Service 
attacks. What concessions one is willing to make on the financial risk or the availability side 
depends on the use-case and has no standard answer, but having the choice to decide this for 
yourself is one step towards more security. 

Additionally, there is a default timeout of 60 seconds which can be increased to up to 3600 
seconds which eguals 60 minutes for HTTP-triggered functions and 540 seconds which eguals 9 
minutes for event-triggered functions. 

After this timeout, an error code is returned and CPU resources are throttled down. Alarmingly, 
according to the official documentation, "[...]paused work might continue in the background 
or resume upon a subseguent reguest, which can cause unexpected side effects. A commor 
symptom of this behavior is the appearance that work and logs from one reguest are "leaking" 
into a subsequent request."[46]. The official recommendation here is to either perform your owr 
cleanup shortly before timeout or to set your own timeout within the function which operates 
independly of the GCP-managed timeout. This presents a security risk, as data leakage fron 
one function to the other is possible . At the time of writing of this paper, there were no knowr 
exploits in the wild and penetration testing on GCP is severely restricted. 

Curiously, despite Google Cloud Functions being declared and by most criteria an implementatior 
of serverless computing, the customer can select the size of the allocated RAM for the Functions 
Instance’. This ranges between a minimum of 128 MB and a maximum of 8 GB with the default 
being 256MB. 
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Feature AWS Azure GCP 
Name Lambda Functions Functions 
Default Languages | Node.js, Python, | JavaScript, Python, | Node.js, Python, 
Ruby, Go, Java, | Java, C#, Power- | Ruby, Go, Java, 
C+, PowerShell Shell, TypeScript CH, PHP 
Deployment meth- | Zip, container | Zip, container im- | Zip, container 
ods images, | Web-UT, | age, Web-UT, Cloud | images, Web- 
Cloud — Storage(S3 | Storage(Drobpox, UI, Cloud Stor- 
bucket) OneDrive), Git, | age(GCP Cloud 
Visual Studio, | Storage bucket), 
external URL, | Gitm external URL 
FTP(S) 


accessible 
internet 


URL 
from the 
by default? 


Monitoring avail- 
able during creation 


Default autoscaling 
limit 


Default timout 


3 seconds 


5 seconds 


60 seconds 


Table 3: Summary of the CSP’s Serverless Computing implementations 


The security scores for the different providers are as follows; 


e AWS: 


Use-case A: 5+0+0 — 5 out of 15 points 


Use-case B: 5+0+0 = 5 out of 15 points 


e Azure: 


Use-case A: 0+5 


5 out of 15 points 


+0 = 
Use-case B: 0+5+0 = 5 out of 15 points 


e GCP: 


Use-case A: 3+0+5 = 8 out of 15 points 


Use-case B: 3+0+5 = 8 out of 15 points 
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4 GEOGRAPHICAL DISTRIBUTION 


Another important aspect to consider are laws and regulations around data and privacy. To 
account for any possible problems around cross-border transfer of data in conflict of data privacy 
laws, it is advisable to use datacenters which already reside in the geographical locations one 
wants to operate in. 

Therefore, this chapter reviews and compares the CSP’s coverage of two of the biggest contiguous 
geographical ares regarding data privacy. 

Since whether the content of this chapter is relevant heavily relies on where an organization and 
its customers resides, this chapter will not be included in the scoring portion of the evaluation, 
but rather serves to provide an overview of the degree of coverage. 


4.1 EU - General Data Protection Regulation 


One of the most strict and progressive ones worldwide, which also covers a large geopraphical 
area associated with major economic activity, is the European Union’s General Data Protection 
Regulation (GDPR) 7. Because of this, it shall be used as a benchmark. Among other rules, it 
places restrictions on cross-border transfer of natural persons’ data. "These include[47|: 


1. Transfers on the basis of an ‘adequacy decision’ by the European Commission (Art. 45); 


2. Transfers subject to‘appropriate safeguards’ by the controller “processor on condition that 
enforceable data subject rights and effective legal remedies for data subjects are available 
(Art. 46, Art. 47); and 


3. Derogations for specific situations (Art. 49). 
" 


To put this into relation, the European Comission has only recognized 12 of the 166 UN member 
states outside the European Union itself. The adeguacy decision has been made for Andorra, 
Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, 
Republic of Korea, Switzerland, the United Kingdom and Uruguay|48]. Considering, that all 
three of the evaluated CSPs have their headquarters and many data centers and servers there, 
1t is important to note that the United States of America are not on this list at the time of 
writing of this thesis, due to the Court of Justice of the European Union's decision in 2020's 
Schrems II judgement, which "declared the European Commissions privacy shield decision invalid 
on account of invasive US surveillance programmes, thereby making transfers of personal data 
on the basis of the Privacy Shield Decision illegal"[49] 

In december 2022, the European Comission filed a draft!® for an adequacy decision for the United 
States of America, but the final decision is still pending. 

Thus, since the USA are currently not subject to a derogation as specified in article 49, there 
have to be additional appropriate safeguards for data to be transferred there in order for it to 
be legally compliant. There are two solutions to this problem. 

The first solution would be to not transfer EU citizen's data outside of the European Union. 


https: / /edpr.eu/tag/gdpr/ 
l8https://commission.europa.eu/system/files/2022-12/Draft/20adequacy%20decision%200n% 
20EU-US/,20Data/20Privacy/20Framework_0. pdf 
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e AWS has 5 regional data centers located inside the European Union with an aditional 3 
regional data centers in the United Kingdom and Switzerland, which are inside Europe 
and on the EU's adeguacy decision list. [50] 


e Azurehas4 regional data centers inside the European Union with an additional 3 regional 
data centers located in the United Kingdom and Switzerland, which are inside Europe and 
on the EU's adeguacy decision list as well as 1 in Norway.[51] Norway is not in the European 
Union, but the European Economic Area and thus also bound by the GDPR. [51] 


e GCP Has 8 regional data centers inside the European Union, as well as 2 in the United 
Kingdom and Switzerland which are inside Europe and on the EU's adeguacy decision list. 
A 
[51] 


As this overview show, all three CSPs have several data centers located inside the European 
Union, which makes it possible to process data through cloud computing in a GDPR-compliant 
manner. 

Additionally, if other countries apply regulations that disallow cross-border data traffic, here is a 
list of how the coverage of the three CSPs is for other countries outside the European Union.’ 


e AWS Has 32 regional data centers with their locations including 17 of the G20 countries. 
(all but Saudi Arabia, Russia and Turkey)[50] 


e AzureHas 60 regional data centers with their locations including 17 of the G20 countries. 
(all but Argentina, Russia and Turkey) [51] 


e GCP Has 35 regional data centers with their locations including 17 of the G20 countries. 
(all but Argentina, Russia and Turkey) [52] 


4.2 Asia-Pacific Economic Cooperation - Cross-border Privacy 
Enforcement Arrangement (CPEA) 


Together with the EU's GDPR working group, the APEC has developed and released a "Ref- 
erential on Reguirements for Binding Corporate Rules submitted to National Data Protection 
Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR recognized 
accountability agents." in order to facilitate the design and adoption of personal data protec- 
tion policies compliant with each of the systems. [53] 

It outlines the requirements for Binding Corporate Rules(BCRs) and Cross Border Privacy Rules 
(CBPRs) related to cross-border data transfers, which include obtaining individual’s consent, 
implementing appropriate safeguards, and ensuring that the recipient of the data has adequate 
protection measures in place. In addition, the document discusses the importance of ensuring 
transparency and accountability in cross-border data transfers, as well as the need for ongoing 
monitoring and review of these transfers to ensure compliance with the relevant frameworks. 
On top of that, the APEC has developed the Cross-border Privacy Enforcement Arrangement 
(CPEA)?!, an opt-in privacy enactment framework where all CPEA member’s privacy enforce- 
ment authorities can participate in order to facilitate responsible and lawful cross-border data 


19Due to international sanctions in relation to the Russo-Ukrainina war, operation of data centers in 
Russia by US companies is not possible at the time of writing of this evaluation 
20http://cbprs.org/wp-content /uploads/2020/08/Referential-BCR-CBPR-reqs-3.pdf 
21https: / /www.apec.org/groups /committee-on-trade-and-investment /digital-economy-steering- 
group /cross-border-privacy-enforcement-arrangement 
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transfer. 

At the time of writing of this paper, there are 26 CPEA participants. They are comprised of 
privacy enforcement agencies on federal and state level of the 10 countries of Australia, New 
Zealand, China, Canada, Korea, Mexico, Singapore, United States of America, Japan, and the 
Philippines. 

There are 7 more APEC member states which have not signed the CPEA agreement and thus 
do not benefit from it, which are Chile, Papua New Guinea, Peru, Russia??, Chinese Taipei, 
Thailand, and Vietnam. Of the listed countries, the availability of data centers in each of them 
is as follows: 


e AWS Has regional data centers with their locations including 8 of the 10 CPEA countries 
(all but Mexico and the Philippines) and none of the 7 other non-CPEA APEC countries. 
[50] 

e Azure Has regional data centers with their locations including 9 of the 10 CPFA countries 


(all but the Philippines) and 1(Chile) of the 7 other non-CPEA APEC countries. [51] 


e GCP Has regional data centers with their locations including 7 of the 10 CPEA coun- 
tries (all but China, the Philippines and Mexico, although a datacenter is currently being 
planned for Mexico) and 1(Chile) of the 7 other non-CPEA APEC countries. [52] 


22Due to international sanctions in relation to the Russo-Ukrainina war, operation of data centers in 
Russia by US companies is not possible at the time of writing of this evaluation 
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5 SECURITY SOLUTIONS 


5.1 Cloud Security Posture Management (CSPM) 


Cloud Security Posture Management (CSPM) solutions are tools that help organizations monitor, 
manage, and improve their security posture in the cloud. CSPM solutions provide continuous 
visibility into an organization's cloud infrastructure, identifying security risks, misconfigurations, 
compliance violations, and other issues that could put sensitive data and systems at risk. 


AWS 

AWS CSPM solution is called AWS Security Hub??. AWS Security Hub consumes, aggregates, 
organizes, and prioritizes findings from AWS security services and from the third-party product 
integrations in a format called the AWS Security Finding Format(ASFF)[54]. These security 
services include Amazon GuardDuty, Amazon Inspector, AWS Config, AWS Firewall Manager, 
AWS Systems Manager, AWS IAM Access Analyzer, AWS Health and Amazon Macie.[55] On 
top of that, Security Hub is integrated with the Event Bus AWS Event Bridge, which allows one 
to build automated response and remediation capabilities, but since this is not an out-of-the box 
solution and does not constitute a service, it is out of scope for this evaluation.|55] 

Security Hub offers a collection of automated security controls known as the AWS Foundational 
Security Best Practices standard, curated by AWS security experts. These controls run either 
continuously when associated resources change or on a scheduled basis. Fach control has a sever- 
ity score to help prioritize remediation efforts. It is recommended to enable this standard across 
all accounts and regions, with ongoing updates featuring new controls and extended service cov- 
erage. 

Security Hub automatically gathers and combines findings from AWS security services in your 
environment, including intrusion detection from Amazon GuardDuty, vulnerability scans from 
Amazon Inspector, Amazon $3 bucket policy findings from Amazon Macie, publicly accessible 
and cross-account resources from IAM Access Analyzer, and resources without WAF coverage 
from AWS Firewall Manager. Findings from numerous integrated AWS Partner Network (APN) 
security solutions are also consolidated. Findings are stored in Security Hub for 90 days after 
their last update. 

Security Hub streamlines the process of combining security alerts by introducing the AWS Se- 
curity Findings Format (ASFF). With ASFF, all integration partners, including AWS services 
and external partners, send findings to Security Hub in a structured JSON format with over 
1,000 available fields. This ensures all security findings are normalized before being ingested into 
Security Hub, eliminating the need for manual parsing and normalization. Findings consistently 
present resources, severities, and timestamps for easier searching and action-taking. 

Security Hub also provides additional standards in line with industry and regulatory frameworks, 
such as PCI DSS and CIS AWS Foundations Benchmark, besides the AWS Foundational Secu- 
rity Best Practices standard. These standards are supported by continuous, automated security 
checks, and you only pay once for a security check, regardless of how many standards it applies 
to. 

With Security Hub’s integration with Amazon EventBridge, one can create custom automated 
workflows for response, remediation, and enrichment. All findings are sent to EventBridge, where 
one can create rules targeting AWS Lambda functions, AWS Step Function functions, or AWS 


3https: / /aws.amazon.com /security-hub / 
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Systems Manager Automation runbooks. These functions or runbooks can enrich findings with 
additional data or automate response and remediation actions, but since this reguires significant 
effort from the customer’s side, it is out of scope for this evaluation.[55] 

Security Hub also supports on-demand sending of findings to EventBridge via custom actions, 
allowing an analyst to decide when to trigger an automated action. The Security Hub Automated 
Response and Remediation (SHARR) solution offers prepackaged EventBridge rules deployable 
via AWS CloudFormation.[55] 

Security Hub allows connecting multiple AWS accounts and consolidating findings across them. 
By designating an administrator account, your security team can view consolidated findings for 
all accounts while individual account owners see findings for their accounts only. Integration 
with AWS Organizations enables automatic account enabling with Security Hub and the AWS 
Foundational Security Best Practices standard.[55] 

Security Hub lets you designate an aggregator region and link regions to it, providing a cen- 
tralized view of findings across accounts and linked regions. Findings are continuously synced 
between regions, ensuring updates made in one region are replicated in others. [55] 

Security Hub administrators or delegated administrators in the aggregator region can view and 
manage all findings, while individual member accounts can also view and manage their findings 
across linked regions.[55] 

Security Hub integrates with numerous AWS security services, partner products, and tools for 
ticketing, chat, incident management, threat investigation, GRC, SOAR, and SIEMs. [55] 


Azure 

Azure does not have a dedicated CSPM solution, but provides CSPM capabilities and function- 
alities through its Cloud-Native Application Protection Platform (CNAPP) Microsoft Defender 
for Cloud. Microsoft Defender for Cloud's CSPM features offer comprehensive security man- 
agement, monitoring, and protection for your cloud resources.[56] 

Microsoft Defender for Cloud continuously evaluates your cloud environment against industry 
best practices and compliance standards, providing actionable recommendations to improve your 
security posture.|56| 

Defender for Cloud generates security recommendations based on identified risks and provides 
a Secure Score, which helps you prioritize remediation efforts and track your overall security 
posture over time. 
Defender for Cloud supports a wide range of industry standards and regulatory compliance frame- 
works, such as GDPR, PCI DSS, and NIST, helping you meet your compliance reguirements.[56] 
Microsoft Defender for Cloud extends its security features not only to Azure but also to other 
cloud platforms, including AWS and Google Cloud, providing a unified security management 
experience across multiple cloud environments.[56] 

Defender for Cloud integrates with Azure Sentinel, Microsoft's cloud-native SIEM and SOAR 
solution, allowing you to centralize and correlate security events for advanced threat detection, 
investigation, and response.[56] 

Furthermore, Defender for Cloud supports automation of security tasks, such as remediation of 
misconfigurations, response to security incidents, and enrichment of security findings, leveraging 
Azure Logic Apps and other Azure services.[56] 

Additionally, Defender for Cloud supports RBAC, allowing you to define granular permissions for 
different users, and multi-account management, enabling you to consolidate and manage security 
findings across multiple subscriptions.[56] 

Finally, one can create and enforce security policies and custom rules to ensure compliance with 
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your organization's specific security reguirements, applying consistent security configurations 
across your cloud resources.[56] 


GCP 

CSP CSPM solution is called Security Command Center (SCC). 

It's a centralized security management and data risk platform that provides real-time visibility 
into security posture across Google Cloud resources and offers the capabilities to identify miscon- 
figurations, monitor compliance with industry standards and regulations, and detect threats.[57| 
It continuously evaluates your cloud environment against industry best practices and compliance 
standards, providing actionable recommendations to improve your security posture.[57] 

GCP SCC generates security findings based on identified risks and provides recommendations to 
help you prioritize remediation efforts and enhance your overall security posture.[57 

GCP SCC supports a range of industry standards and regulatory compliance frameworks, such 
as GDPR, PCI DSS, and NIST, to help you meet your compliance reguirements.|57] 

GCP SCC integrates with Google Cloud’s operations suite (formerly Stackdriver), enabling cen- 
tralized monitoring, logging, and alerting for security events and incidents.[57] 

GCP SCC supports automation of security tasks, such as remediation of misconfigurations, re- 
sponse to security incidents, and enrichment of security findings, leveraging Google Cloud Func- 
tions and other Google Cloud services.[57] 

GCP SCC integrates with various third-party tools for ticketing, chat, incident management, 
and security management, providing a seamless security experience across different platforms 
and tools.[57] 

GCP SCC supports RBAC, allowing you to define granular permissions for different users, and 
multi-project management, enabling you to consolidate and manage security findings across mul- 
tiple Google Cloud projects.[57] 

Furthermore, one can create and enforce security policies and custom rules to ensure compliance 
with your organization's specific security reguirements, applying consistent security configura- 
tions across your cloud resources.[57] 

Finally, SCC maintains an inventory of your Google Cloud assets and resources, providing 
visibility into your cloud environment and helping you identify and track security risks and 
misconfigurations.[57] 


Summary 

As the previous paragraphs has shown and the following table visualizes, all three evaluated CSPs 
have great CSPM solutions. The only blemish on AWS’ and GCP’s resume is missing Multi- 
cloud support, but this only becomes a security issue if they are used in such an environment in 
conjuncture with other CSPs that do not offer CSPM solutions of similar quality. 
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Feature 


AWS 


Azure 


GCP 


Name 


AWS Security Hub 


Microsoft 


Defender 


Multi-cloud 
port 


sup- 


Recommendations 
for — Misconfigura- 
tions 


Compliance Man- 


agement 


Automated remedi- 
ation 


Risk management 


Vulnerability scan- 
ning 


SIEM integration 


Multi-account man- 
agement 


for Cloud 


GCP Security Com- 
mand Center 


Table 4: Summary of the CSP’s CSPM implementations 


The security scores for the different providers are as follows; 


e AWS: 


Use-case A: 0 


Use-case B: 0 


e Azure: 


Use-case A: 5 


Use-case B: 5 


e GCP: 


Use-case A: 0 


Use-case B: 0 


OT 


OT 


al 


al 


al 


OT 


OT 


OT 


OT 


OT 


al 


al 


al 


al 


OT 


OT 


OT 


OT 


OT 


OT 


al 


al 


OT 


CT 


OT 


OT 


OT 


OT 


OT 


OT 


OT 


OT 


OT 


OT 


OT 


= 35 out of 40 points 


= 35 out of 40 points 


= 40 out of 40 points 


= 40 out of 40 points 


= 35 out of 40 points 


= 35 out of 40 points 


STEFAN BONEDER 


BACHELOR THESIS 


40 


5.2 Identity and Access Management (IAM) 


Identity and Access Management (IAM) is a systematic and methodological framework used to 
administer and regulate the digital identities of users, devices and other resources within an 
organization. It encompasses a collection of processes, policies, and technologies that enable the 
proper authentication, authorization, and auditing of users while granting access to resources. 


Authentication is the process of verifying the claimed identity of an entity, typically through 
the use of credentials such as passwords, tokens, or biometric data. Authorization is the process 
of granting or denying access to specific resources based on the authenticated identity and its 
associated privileges. Auditing involves monitoring and recording access activities to ensure 
compliance with organizational policies and security regulations. 


In the context of cloud computing, IAM becomes increasingly vital as organizations migrate 
their applications, data, and infrastructure to cloud-based environments. Cloud IAM incorpo- 
rates Identity-as-a-Service (IDaaS) models, which deliver IAM solutions through a cloud service 
provider. This approach enables organizations to manage identities and access controls for both 
on-premises and cloud-based resources, providing seamless integration and consistent security 
policies across the entire infrastructure. 


Cloud IAM solutions typically involve the following components: 


e Single Sign-On (SSO): A user authentication process that enables users to access multi- 
ple applications and services using a single set of credentials, reducing the need for multiple 
logins and streamlining user access. 


e Multi-Factor-Authentication (MFA): An additional layer of security that requires 
users to provide two or more independent factors (e.g. something they know, something 
they have, or something they are) to authenticate their identity 


e Role Based Access Control (RBAC): A method of assigning access permissions to 
users or resources based on their roles within the organization and architecture, ensuring 
that they only access the resources necessary to perform their functions. 


e Privilege Access Management (PAM): A subset of TAM that specifically focuses 
on managing and monitoring access to high-risk resources and sensitive information by 
privileged users, such as administrators or service accounts. 


e Identity Federation: A mechanism that allows organizations to share and synchronize 
identity information across different domains, applications, and systems, enabling users to 
access resources across multiple organizations using a single digital identity. 


SSO, MFA and Identity Federation focus mostly on the security of authentication, user experience 
and user management, while RBAC and PAM are used for managing authorization, which is 
one of the main challenges in cloud security. A key aspect in the context of the cloud that 
is not or at least not as heavily used in traditional computing is, that RBAC policies can be 
defined for entities and resources other than users or accounts. Examples would be certain 
virtual machines having access permissions to other resources, e.g. APIs, independent of the 
VM owner’s permissions. This allows for a very granular implementation of the principle of least 
privilege, as the permissions can be limited to a minimum and separate users do not even have 
to be unnecessarily granted permissions they do not need, just so the resources or workloads the 
manage can use them. 
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AWS 

AWS IAM (Identity and Access Management) provides a set of security-related features that 
help to ensure the security and integrity of cloud-based environments.[58] 

AWS TAM enables users to manage access to AWS resources securely, using AWS-managed 
policies, IAM roles, and IAM users.[58] 

Multi-factor authentication (MFA) is supported for additional security, as are fine-grained access 
controls and role-based access controls (RBAC).[58] 

AWS IAM provides a federated sign-in option, enabling users to use their existing corporate 
identities to access AWS resources securcly. 

AWS IAM provides centralized management of user accounts, access controls, and authentication 
policies, enabling administrators to easily configure and enforce access policies across multiple 
AWS services.[58] 

AWS IAM also supports encryption and secure communication protocols, ensuring that user 
credentials and other sensitive data are protected while in transit.[58] 

Additionally, AWS IAM provides audit and compliance reporting to enable administrators to 
monitor user activity and detect any potential security breaches. 


Azure 

Azure’s IAM (Identity and Access Management) services provide a robust set of security features 
to ensure the security and integrity of cloud-based environments. [59] Azure Active Directory 
(Azure AD) is the identity and access management solution for Azure, providing a range of 
security features such as multi-factor authentication (MFA), role-based access control (RBAC) 
and conditional access policies.|59| 

Azure AD supports integration with on-premises Active Directory, allowing administrators to 
extend their existing identity infrastructure to the cloud. Fine-grained access controls are also 
supported, enabling administrators to set permissions at a granular level. [59] 

Azure AD provides centralized management of user accounts, access controls, and authentication 
policies, allowing administrators to configure and enforce access policies across multiple Azure 
services. Federation and single sign-on (SSO) are also supported, enabling users to access multiple 
cloud-based environments with a single set of credentials.[59] 

Encryption and secure communication protocols are supported to protect user credentials and 
other sensitive data in transit. [59] 

Additionally, Azure AD provides audit and compliance reporting to enable administrators to 
monitor user activity and detect any potential security breaches. Overall, Azure’s IAM services 
provide a comprehensive set of security features to ensure the security and integrity of cloud- 
based environments.|59] 


b) 


GCP 

Google Cloud Platform's (GCP) IAM (Identity and Access Management) services provide a 
robust set of security features to ensure the security and integrity of cloud-based environments 
and a centralized way to manage access control for resources within GCP.[60] 

It supports fine-grained access control and allows administrators to set permissions at a granular 
level. Role-based access control (RBAC) is also supported, enabling administrators to control 
access to resources based on the user's role within the organization. [60] 

GCP IAM also provides multi-factor authentication (MFA) to provide an extra layer of security 
when authenticating users. [60]Federation and single sign-on (SSO) are also supported, enabling 
users to access multiple cloud-based environments with a single set of credentials.[60] 
Encryption and secure communication protocols are supported to protect user credentials and 
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other sensitive data in transit and audit and compliance reporting to enable administrators to 
monitor user activity and detect any potential security breaches are provided. 

Additionally, GCP IAM provides a range of security features such as security key enforcement, 
security logging, and security scanning, to help ensure the security and integrity of cloud-based 
environments. 


Summary 


Feature AWS Azure GCP 
Multi-factor au- 
thentication (MFA) 


Single sign-on 
(SSO) 

Centralized Man- 
agement 


Role-based access 
control (RBAC) 
Audit and compli- 
ance reporting 


Table 5: Summary of the CSP’s IAM implementations 


The security scores for the different providers are as follows; 

e AWS: 
Use-case A: 4+4+5+5+5 = 23 out of 25 points 
Use-case B: 2+2+5+5—+5 = 19 out of 25 points 

e Azure: 
Use-case A: 4+4+5+5+5 = 23 out of 25 points 
Use-case B: 2+2+5+5+5 = 19 out of 25 points 

e GCP: 
Use-case A: 4+4+5+5+5 = 23 out of 25 points 


Use-case B: 2+2+5+5+5 = 19 out of 25 points 
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6 DISCUSSION 


The following table guickly summarizes the guantifiable evaluation results. 
The highest scoring cell for each category is printed in bold in order to visually highlight it. 


Category AWS Azure GCP 

Virtual Machine | 50/65 points=77.0% | 51/65 46/65 points=70.8% 
use-case A points=78.5% 

Virtual Machine | 30/65 points=46.2% | 33/65 28/65 points=43.1% 
use-case B points=50.8% 

Container use-case | 47/70 points=67.1% | 58/70 points=82.9% | 67/70 

A points—95.8% 
Container use-case | 43/70 points=64.4% | 52/70 points=74.3% | 61/70 

B points—87.1% 
Serverless Com- | 5/15 points=33.3% 5/15 points=33.3% 8/15 

puting use-case A points—53.3% 
Serverless Com- | 5/15 points=33.3%% | 5/15 points=33.3% 8/15 


puting use-case B 


points—53.3% 


CSPM use-case A | 35/40 points—87.5% | 40/40 35/40 points—87.5% 
points—100.0% 
CSPM use-case B | 35/40 40/40 35/40 points=87.5% 


points=87.5%% 


points=100.0% 


IAM use-case A 


23/25 points=92.0% 


23/25 points=92.0% 


23/25 points=92.0% 


IAM use-case B 


19/25 points=76.0% 


19/25 points=76.0% 


19/25 points=76.0% 


Table 6: Summary of all results 


With all of this category’s results being within a ten percentage point span, one can draw the 
conclusion, that the virtual machine security solutions of the three evaluated CSPs are of rel- 
atively similar quality. This could be, because virtual machines in general and most concepts 
around them have existed for longer than the concept of cloud computing, so security solutions 
have had time to mature and the CSPs already had a good starting point. 

On the other hand, this could indicate, that more features should be evaluated, so that either 
the differentiation between the offerings becomes clearer or the conclusion, that their quality is 
similar is fortified. That implication is further strengthened by the observation, that both secu- 
rity solutions would have the same score if it were not for Azure’s multi-cloud support breaking 
the tie. 

One noticeable aspect is. that for both Containers and Serverless Computing, the best offering 
for use-case B, which by nature of the scoring system yields a lower score for the same result, 
still outscored the other two CSP’s security solutions for use-case A. 

Another possible takeaway is, that the weights and scores should be adapted to magnify differ- 
ences. 
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7 CONCLUSION 


In the big scheme of things, the Cloud is a relatively new phenomenon with novel ideas, concepts 
and services around the topic being created regularly. This suggests, that the Cloud today is not 
the same as it is going to be in one, two or five years time with drastic changes and disruptive 
innovations likely to happen. 

With that observation comes the necessary conclusion, that the reguirements for security services 
today and their features are not the same today as they will be in the future. 

This thesis has taken a first step towards having an overview and guantifiable data on the dif- 
ferences and similarities of the security offerings of the big three CSPs. An extension of this 
research to further features would help to gain a bigger picture of the realm of cloud security. 
Additionally, one aspect of the security solutions which was not directly evaluated in this paper 
but is nonetheless important are the performance, quality and effectiveness of the respective 
measures like machine learning algorithms for anomaly detection, security scores or intrusion 
detection. 

Also, further research is needed to evaluate how the respective security solutions and their imple- 
mentations of the different CSPs are complemented, which gaps are filled and which completely 
new kinds of security solutions are developed and supported by third parties, either through 
professional services or open source projects and whether including these in an evaluation would 
change the outcome, as most CSPs and solutions not having a perfect score implies, that there 
are gaps in security coverage, which might have been filled by persons and organizations inde- 
pendent of the CSPs who encountered theses problems. 

Another research topic which was not included in the scope of this thesis is the building and 
creation of security solutions and workflows around the CSPs proprietary solutions, using the 
provided general purpose services like serverless computing, event management network flows 
etc. in security specific ways through innovative new ways, or simply to automate and speed 
up already existing security workflows like log collection or the processing of data, which would 
in return yield positive outcomes for the security posture like patch management, mean-time- 
to-respond and mean-time-to-contain security incidents or vulnerability management and topics 
touching it like cost reduction, decreasing decision fatigue and saving on man hours. 
Additionally, if one were so inclined, one could conduct further research with the same method- 
ology, scope and limitations on other Cloud Service Providers than AWS, Azure and GCP, 
extending the evaluation to other CSPs. 
As a final conclusion of this thesis, it can be said, that the goal of furthering the knowledge 
around how the CSPs security solutions compare has been achieved within the scope and limita- 
tions, but further research building upon this thesis and its findings is needed to fully understand 
the topic. 
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